ALSO  INSIDE:  Recession  Hits  Older  IT  Workers  Hardest 
Desktop Virtualization's Dirty Little Secret


GROW YOUR OWN CIO


IN-HOUSE  DEVELOPMENT 
PROGRAMS  CAN  IllirtlllV 
UP-AND-COMING  LEADERS 




THIS ISSUE | 02.07.2011


READER  FEEDBACK 


LETTER  TO  THE  EDITOR 

A  Free  Market,  Not 
Government,  Drives 
U.S.  Innovation 


believed, the U.S.


Find these stories at computerworld.com


When  Trusted  IT 
People  Go  Bad 

One  rogue  IT  employee 




2011:  Year  of  the 
Desktop  AppStore? 


DISASTER  RECOVERY 


Tech  Staffers  Help  Aussie  Flood  Victims 


Australia’s IT community has banded together to donate surplus computer equipment to schools and small businesses affected by last month's flooding in the state of Queensland.

The Queensland IT Flood Relief program was established by Datacom Group Ltd. employee Lewis Benge, who saw the potential for one company’s IT trash to become treasure for Queenslanders who had lost everything in the raging waters.

“I was sitting in my office and staring at

(www.qlditrelief.org) to streamline the donation process.

So far, organizations have pledged PCs, Macs, printers and multifunction devices, and networking equipment, Benge said. (All donated equipment will be refurbished before delivery.) With donations streaming in, he said, the relief group now needs logistics equipment, such as pallets, to help transport the goods to Brisbane, Queens-


down on intracity travel

Pleasanton, Calif.-based Spigit Inc. provides the collaborative filtering software for ideaMarket as a

Bloomberg, in his recent State of the City address, praised the project and suggested that he might open

well. “This kind of open call for ideas - or 'crowdsourcing,' as it's called - has helped cutting-edge companies like Facebook and

Datacom also is seeking IT


WASHINGTON WATCH

Tax Law May Accelerate IT Purchases

A so-called 100% bonus depreciation tax benefit approved by the U.S. Congress in December may encourage IT managers to buy new equipment before the tax break expires at the end of this year.

The tax benefit, part of Congress' tax-cut bill, was made retroactive to Sept. 8, the day President Barack Obama pitched the idea as a

Greg Rosica, a tax partner at Ernst & Young LLP, said it normally takes up to five years to realize the full tax benefits from depreciation on new equipment, such as servers. But the 100% bonus depreciation allows a company to take the entire benefit in the first year.

The amount of the tax benefit depends on the type of business and its tax rate. For instance, a business that pays the top corporate tax rate of 35% and spends $100,000 on new equipment can reduce its tax bill in the current year by $35,000, Rosica said.

There’s no cap on the amount of equipment that can be depreciated, but it must be new.

Frank Scavo, president of research firm Computer Economics Inc., said the tax change will affect the timing of IT purchases. “Buyers who are looking out 18 months now may move acquisitions into 2011 to take advantage of the accelerated depreciation,” he said.

The tax benefit’s relatively short window “could create a mini-boom in new equipment purchases, perhaps even [leading to] some shortages of key components,” said Scavo.

The flip side of this benefit may be a fall-off in new purchases in 2012, he said. “This is the problem with trying to fine-tune tax treatment; there are almost always unintended consequences,” said Scavo.

Howard Hammer, a principal at accounting firm Fiske & Co., said the tax benefit is “going to have a tremendous effect” on buying. “Medium and large corporations have been stockpiling cash for quite a while, and I think now they are going to jump on it,” he said.

- Patrick Thibodeau


networks during 2010's third quarter were directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol.

Telnet has been gradually replaced by Secure Shell, or SSH, as a means of accessing servers remotely. Administrators are generally advised to disable Telnet if the protocol isn't being used, in order to prevent attacks targeting it, but some forget to do so.

The report said the attacks are probably coming from malware-infected PCs connecting to wireless networks, not from mobile devices.

Telnet’s Port 23 was “overwhelmingly the top targeted port for attacks” in Egypt, Peru and Turkey.

Akamai found that Port 445, commonly used for Microsoft products, was the most targeted port, but the


4 COMPUTERWORLD FEBRUARY 7, 2011




IT pros who are over 55, especially women, face long-term joblessness. Cloud and healthcare expertise are pluses these days. By Patrick Thibodeau and Sharon Machlis

or older generally “remain unemployed

unemployed, she quickly started looking for another job as a business system analyst and project manager.

The recession hadn't hit yet, and McIntyre initially had numerous interviews that seemed promising. Nonetheless, it took eight months to land a consulting job. “I was beginning to suspect it was an age problem,” she said.

The recession ended McIntyre’s consulting job. She found short-term contract work in 2009 and then landed a six-month assignment that recently ended.

The latest data from the U.S. Bureau of Labor Statistics shows that overall unemployment in “computer and mathematical



Schimizzi doesn’t expect much improvement in full-time job prospects for older IT workers even as the economy starts to grow. “I think full-time positions are going to be staffed from the younger workforce,” she said.

Al Williams, a director of IT at Pennsylvania State University and vice president of independent IBM user group Share, said workers over 50 may concern corporate hiring managers because they might resist change and generally command higher salaries than younger people. “I think the biggest risk in IT is we tend to define ourselves with the technology we like, rather than aligning ourselves with the strategies the business needs,” said Williams.

Todd Thibodeaux, president and CEO of the Computing Technology Industry Association, said that older workers with specific skills, mostly in cloud computing and electronic health systems, are still in demand.

The age issue is likely to gain importance because of the sheer size of the baby boom generation — people born between 1946 and 1964, who make up more than 25% of the U.S. population. A 2010 federal government study found that 60% of the IT workforce in 2008 was made up of people between 45 and 63 years of age. ♦




Egypt ’Net Shutdown: Wake-Up Call for CIOs

Analysts say any government could shut down Internet access in a national emergency, so IT execs need a plan of action. By Patrick Thibodeau and Juan Carlos Perez


EGYPT'S CRACKDOWN on Internet use amid huge anti-government protests should serve as a warning that CIOs around the world must create contingency plans to deal with the potential shutdown of critical infrastructure.

The Internet was mostly inaccessible to Egyptians for about five days. Citizens began reporting the widespread return of online connections last Tuesday.

Virtually any government in the world can temporarily nationalize and control critical infrastructure, which includes mobile networks, fixed-line telecommunications and Internet backbone systems, during natural disasters, terrorist attacks or any other national emergency, said Eric Paulak, an analyst at Gartner Inc. “This scenario isn’t so far-fetched,” he said. “It’s just that you


systems to run key corporate or government applications, said Michael Osterman, an analyst at Osterman Research Inc. “If organizations are reliant on cloud-based services, this would be a critical problem.”

“Companies doing business in any country should assess potential loss of Internet access as part of their risk management strategy and factor it into the cost of doing


analyst at Nucleus Research Inc.

The analysts suggested creating offline capabilities for cloud-based systems and providing key users with access to backup satellite-based phones and Internet access during emergencies.

IT executives based in Egypt said the widespread protests and the government’s response disrupted the country’s growing tech operations.

Yahia Megahed, vice president and supervisor of the Egyptian branch of Symbyo Technologies Inc., a U.S.-based IT services firm, said some workers there were able to access the Internet via proxies, but most had no recourse. The shutdown “definitely affected” the business, he added.

The Egyptian government has been aggressively selling the country as an outsourcing destination.

Hewlett-Packard Co., one of the uo companies located in Cairo’s eight-year-old Smart Village IT office park, told its workers to stay home during the protests. Microsoft Corp., which also has an office in the park, said in the midst of the protests II center activities run from Egypt had “been


IBM, Oracle, Indian outsourcer Wipro and other top companies have also set up shop in Smart Village.

“The country has invested millions to promote its capabilities — and now that investment is looking under threat,” said Phil Fersht, CEO and head of research at HfS Research, an outsourcing research and advisory firm.

Megahed, though, is confident that Egypt will remain attractive to high-tech firms. “Egypt is considered, despite what happened this week, to be a stable country,” he said. ♦

Perez is a reporter for the IDG News Service. Martyn Williams of the IDG News Service and Gregg Keizer contributed to this story.




Continued  from  page  8 

within their reach. We also have a strong focus on how technology can benefit microfinance institutions and have developed management software called Mifos tailored to the specific needs of these institutions. I work closely with teams based in Seattle, Uganda, Ghana, Kenya and Indonesia to direct these efforts.

How do you define or measure success for you and your team? At the end of the day, success is about having a measurable improvement on people’s lives. That’s a long-term outcome we look for. The intermediate stages are identifying where there are market gaps, where information services could have a meaningful impact on people’s lives but for one reason or another they’re not being provided. And it’s identifying potential solutions to address those gaps using basic mobile phones, understanding what content could be delivered, and developing models that are self-sustaining from an economic perspective.

WIntmtkiliiaHteiMfodMiutMtiiicunrMni 
fodwofogy  lute  tin  puorrttloui  you  lervtf  The 

beauty of it is that there are over 5 billion mobile phones in the world today, and almost 80% are in emerging markets. And what’s impressive about that number besides the magnitude is that unlike in the U.S., there’s a lot of sharing [of mobile phones] in emerging markets. So the challenges aren’t around putting technology in their hands. The challenges are more around developing services that can be easily used and [are] affordable. There are high illiteracy rates and multiple languages, so addressing those are also challenges. And cost can be a challenge. In Uganda, for example, government-imposed taxes on minutes and handsets are very high.


CIS? The first is the trusted intermediary model. We realized early on that information alone is not sufficient to change people’s behavior, which is how we achieve impact. What’s required is having a trusted member of the community serve in an intermediary role where they know how to discover the information, how to use the information and how to contextualize that information. We’ve developed networks of trusted intermediaries, such as community [agricultural] knowledge workers in Uganda, community health nurses in Ghana or a network of entrepreneurs who use their mobile phones in Indonesia.

And then the second is to use the phone for voice services as well, which is sort of obvious, but not always. What we found, especially to overcome some of the challenges with illiteracy, is that many people prefer to receive voice messages. They have the option of receiving text messages or voice messages in their native language, and 90% of the time they prefer to have voice messages.

You’ve used the term “information poverty.” What do you mean by that? It’s that inability to have information at your fingertips that will help you improve your life or livelihood. The phone really changes that dynamic to the extent that information services can be delivered over the phone. It makes it so that poverty and information flows can be addressed.

You once said that the mobile phone has the potential to level the playing field in terms of access to information. Are we there yet? We’re just skimming the surface. I think a lot of progress has been made in the last two to three years, but when you look at the number of concepts that have scaled, there are really very few. There are more than 5 billion phones in the world, and such a huge percentage are in the hands of people in emerging markets, so the potential is there, but it has not yet been realized.

What can traditional IT shops and tech companies learn from your work? That there’s the opportunity to develop for what’s commonly called the base of the socioeconomic pyramid. There’s a very large market if you can tailor products to meet the market needs.

— Interview by Computerworld contributing writer Mary K. Pratt (marykpratt@verizon.net)




The fact that a team that had so much promise had failed to deliver - again - reminded me of something: IT.


Thornton A. May is the author of The New Know: Innovation Powered by Analytics and executive director of the IT Leadership Academy at Florida State College at Jacksonville. You can contact him at thorntonamayS


OPINION

THORNTON A. MAY


Tom Brady, the Patriots And IT Expectations

A FEW WEEKS AGO, football fans in New England watched in horror as quarterback Tom Brady and the Patriots suffered an unattractive loss to their trash-talking divisional rivals, the New York Jets. The next day, sports fans throughout the region were numb.

The fact that a team that had held so much promise, had consumed so much of the community’s time and attention and had been lavished with money had failed to deliver — again — reminded me of something else. I’m sorry to say, it was IT.

In every discipline, expectations and their management have always been part of the leadership tool kit. Yet not many executives and very few football fans have really studied the mechanisms of where, when and how expectations get set. A big contributor is historical performance.

Experts in international development observe that for the past 20 years, there’s been talk about Brazil’s bright future — a time of prosperity that is always just around the corner but never arrives. As a result, when we hear talk today about Brazil’s prospects, our expectations are greatly lowered.

Conversely, the Patriots have, in a reasonably compressed time span, won three Super Bowls. In a league that aggressively, outspokenly and very effectively creates rules and regulations designed specifically to prevent any one team from dominating the sport, is it rational to expect the Patriots to win the Super Bowl every year? Perhaps not, but the fans’ expectations are nonetheless heightened by a recent record of great success.

Just as the Patriots have their troika of championships, enterprise IT has its trifecta of underperformance — ERP, the dot-com push and Y2K.

Management teams still vividly remember that during the late ’90s, IT swore that if the enterprise did not deploy an intergalactic ERP backbone, the wheels were going to fall off. Yes, it would require a multimillion-dollar investment, but we guaranteed that it would pay off. Instead, many enterprises ended up pouring as much as twice the budgeted amount down a sinkhole.

Next came the Web. Fearing that incumbent markets would be Amazonized, we heavily invested in e-commerce platforms while webifying the enterprise. Researchers place the total price tag on the Internet buildout at roughly $2.2 trillion.

At about the same time, we fed the Y2K panic. Executives were given a choice: They could load up on tuna fish, K rations and peanut butter and move to the hills, or they could remediate every piece of software code in the joint. Yet again, it appeared as if IT was holding a gun to the head of the organization and saying, “Spend more money.”

This IT track record — which I have rendered very nonsympathetically — may be part of the reason that for the first decade of the new millennium, IT was in many cases benched and had to focus on cost reductions rather than top-line revenue generation, and on consolidation instead of innovation.

And so IT was sidelined just as a golden age of innovation in consumer electronics. Enterprise employees can’t help but notice the yawning gap between the experience of using their consumer tech and the experience of using the older systems that run on their computers at work.

By next year, the fans will have forgotten the Patriots’ ugly loss and will expect greatness again. As for IT, I’m not certain that it has a lot of fans, or that those it has will remain loyal. Enterprise IT is a franchise in trouble. It’s time for a turnaround. ♦




COVER  STORY 


Continued from page 14

agement along with role-playing exercises to explore the Thomas-Kilmann model of conflict resolution. Guest speakers included C-level executives as well as former attendees who had gone on to become CIOs. A post-session happy hour and dinner gave participants a chance to network, exchange insights and simply blow off steam.

It might sound like your typical leadership development seminar, but CIO University stands apart in several ways.

For one thing, the curriculum is fine-tuned to specifically meet the needs of IT management. For another, instead of being sponsored by a university or an IT trade association, with attendance open to IT execs from multiple organizations, this leadership program was homegrown by a single company for its high-performing IT staffers only.

Conceived and implemented by Kevin Hart, CIO at Clearwire Communications LLC in Kirkland, Wash., CIO U aims to serve


You can send someone to California for a week and pay $10,000 ... but the real value comes with having an experience as a team.

HART, CIO, CLEARWIRE COMMUNICATIONS LLC


Internal programs help with recruitment and retention of high-performing IT personnel interested in career advancement, Hart and others say, but beyond that, they foster leadership development on an organizational level, a key benefit to the sponsoring company.

“You can send someone to California for a week and pay $10,000 for the individual experience, but the real value comes with having that experience collectively as a team. The team becomes better able to understand the context of working together and building relationships,” says Hart. “It's about having people feel a real sense of investment in their career and in their future.”

CLEARWIRE:

Real-World Problem-Solving

Andrew Macaulay, Clearwire’s vice president of IT, attended CIO U as a Level 3 Communications employee and then again



COVER  STORY 


Connnued  from  page  i6 

a  manager/employiee  checklist,  an  “onboarding"  program  to  bring 
new  IT  emph)^  up  to  speed,  a  directive  to  tie  IT  performance 
goak  to  company  goals,  a^  sponsorship  of  additional  communica- 
tioo  forums,  like  roundtable  discussions  and  newsletters. 

When  a  follow-up  survey  was  conducted  six  months  later  to 
gauge  progress,  the  IT  team  bad  made  some  impressive  gains.  “If 
there  isn’t  a  benefit  to  the  company,  then  the  wlmle  value  propo¬ 
sition  falls  apart,"  Hart  says. 

DIREa  ENERGY: 

Three  Training  Levels 

Direct  Energy,  a  $9  billion  electricity  and  natural  gas  utility  with 
operations  in  several  North  American  markets,  o%rs  a  three-tier 
IT  leadership  development  initiative  that  blends  both  internal 
and  external  resources. 

At  the  junior  level,  the  company  recruits  from  the  t<^ 
engineering  schools  and  then  has  new  hires  participate  in  an 
intensive,  company-run  two-year  training  program.  The  train¬ 
ing  includes  work  toward  a  range  of  certifications  and  rotating 
assignments  in  different  areas  of  the  business,  itKluding  stints  in 
non-IT  posU  and  in  various  locales  around  the  world. 

Midlevel  IT  fidks  may  be  selected  to  participate  in  a  leadership 
program  that  was  tleveloped  by  Direct  Energy’s  IT  group  but  is 
run  in  conjiuction  with  other  companies  and  outside  leader¬ 
ship  experts,  according  to  Kumud  Kalia,  Direct  Energy’s  CIO. 
Top-level  IT  execs  are  encouraged  to  participate  in  webinars, 
attend  seminars  and  enroll  in  external  leadership  development 
prcrgrams  for  a  mote  customized  training  experience. 

Leveraging  both  internal  and  external  resources  makes  sense  for 


a  company  of  Direct  Energy’s  size, 
Kalia  says.  Although  Direct  Energy 
is  bigger  than  Clearwite  and 
maintains  a  latgn^  IT  workforce, 
Kalia  says  it  wrxild  be  for  too  cosdy, 
in  terms  of  both  money  and  time, 
to  develop  and  run  such  a  divetse 
leadershiptraining  program  inter¬ 
nally.  In  addition,  he  says  he  doesn’t 
think  there  are  enough  h^h-level 
IT  roles  within  the  company,  which 
employs  about  500  IT  personnel  in 
all,  to  justify  funding  an  internally 
run,  ClO-spedfic  program. 

Nevertheless,  Kalia  feels  strongly  that  ITIeadership  developmsit 
on  any  scale  is  essential  for  attracting  and  nurturir^  top  talent 
“People  don’t  want  to  join  a  company  and  have  a  great  first  year  only 
to  keep  repeating  the  great  first  year  for  10  years,”  Kalia  says.  “People 
cate  about  career  development  They  seek  out  enhanced  scope  of 
teqionsibility,  and  if  they're  not  getting  it  from  their  employe,  they 
will  go  elsewhere.  We  want  to  make  sure  we  have  those  things  here.” 

PURDUE PHARMA: No Faking Internal Training

Purdue Pharma, a $3 billion pharmaceutical company, also champions a mix of internal and external IT leadership training. Each of the Stamford, Conn.-based company’s 110 IT employees has an individual development plan, and there are rotating IT job assignments.

Moreover, a handful of high-potential IT managers are selected to participate in an internal executive-coaching program that’s run by the CIO in conjunction with human resources, to get exposure to senior management responsibilities. In this program, individuals take a battery of leadership assessment tests and are coached individually by HR professionals and top IT managers to nurture their strengths and improve upon their weaknesses.

Throughout a 12-to-18-month period, participants are formally observed by the CIO, given assessments every three months and take part in sessions where they get feedback from their peers.

So far, seven IT employees have gone through the program.

CIO Larry Pickett says an internal program works best on this level because participants can’t manipulate the scenarios they encounter, like they could in external leadership programs. “In external programs, it’s a case study you’re working on, not a real-world example,” Pickett explains. “Our training is based on actual observation in the workplace, and you can’t fake it.”

Stackpole, a frequent Computerworld contributor, has reported on business and technology for more than 20 years.


ORDER the COMBO: INTERNAL AND EXTERNAL TRAINING

Executive coach Judy Arteche-Carr votes for the combo. Arteche-Carr is a member of the Society for Information Management’s Executive Management Council, and she’s managing director of Arteche Global Group, a management consulting company that offers personal coaching for C-

Arteche-Carr says internal programs take into account the dynamics of a company and foster team-building, but they can be limited in scope and lack outside perspectives. External training, on the other hand, provides exposure to the best practices of other companies and offers networking opportunities, but it’s not specifically tailored to an individual’s or a company’s needs.

from,” she explains. “It’s all dependent on the company environment and the CIO’s resources.”

In any case, it’s really the content of the program that’s critical to developing high-performing IT leaders. The focus should be on soft skills like “influence management,” presentation skills and writing, as well as understanding globalization, says Arteche-Carr.

- BETH STACKPOLE

COMPUTERWORLD FEBRUARY 7, 2011




VIRTUALIZATION CONFUSION REIGNS

SOFTWARE LICENSING FOR DESKTOP VIRTUALIZATION IS COMPLEX. EVEN VENDORS STRUGGLE WITH IT. BY TAM HARBERT

WHEN DATAPRISE INC., an IT services company, helped a customer with a desktop virtualization project last year, it found itself

with desktop virtualization’s dirty little secret: No one — including vendors

Having run a successful pilot, Dataprise’s client wanted to take the next step: deploy 700 virtual desktops, says Chris Sousa, director of infrastructure service at Dataprise. That’s when the trouble began. Like many businesses, the customer — a manufacturer of fiber-optic cable — had an enterprise agreement with Microsoft Corp., but its IT staff wasn’t sure

ment. Apparently, neither was Microsoft, says Sousa, who noted that he called the company repeatedly seeking information.

“We’d get a different answer from a different person on a different day,” he says.

“We were trying to be upstanding citizens and not rip anybody off, but we couldn’t get definitive answers.”
CHRIS SOUSA, DIRECTOR OF INFRASTRUCTURE SERVICE, DATAPRISE INC.

In a 2009 study by Info-Tech Research Group Inc., Microsoft Windows licensing was identified as the No. 1 pain point for organizations implementing desktop virtualization, according to Info-Tech analyst John Sloan.

Microsoft claims that it has tried to improve its virtualization pricing policies. Most recently, the company relaxed its licensing rules for virtual desktops and expanded rights to access a given virtual desktop from more than one computer. (See story at right.)

The changes are “a step in the right direction,” says Sloan, but he adds that Microsoft “hasn’t gone as far as many would like.” For example, although the new roaming rights allow users to log into their virtual desktops from devices outside of the corporate firewall, such as home PCs or airport kiosks, the virtual desktop is still licensed to a specific corporate

virtual desktop from another corporate PC, like one in a branch office, Sloan explains.

Confused yet? Microsoft licensing “is still so complicated that users and even resellers don’t understand it,” says Barb Goldworm, president and chief analyst at consultancy Focus LLC. Not only are the specific vendor rules confusing, but IT managers also mix up the licensing of the virtualization software

desktop running on a back-end hypervisor) and the licensing of the software that actually runs on the desktop (the operating system and applications).

The Vendors’ Struggle

But the problem is bigger than just Microsoft. All software vendors are struggling with this issue to

XenDesktop 4, it changed from its traditional

they needed more flexibility. In some industries, for example, multiple users share the same device.

So Citrix quickly added per-device licensing and brought back concurrent licensing for its Virtual Desktop Infrastructure edition, says Calvin Hsu, director of product marketing at Citrix.

In some cases, IT managers throw up their hands and look for other options. When Michael Goodman discovered that he’d have to buy two licenses for the same Windows operating system — one for a thin client and one for the operating system running on the server — “it really knocked down my payback period on the ROI,” he says. That was one of the reasons the vice president and director of information systems and technology at Crescent State Bank in Cary, N.C., skipped thin clients and went with a

MICROSOFT’S POLICY MOVES

the past several years, says Dai Vu, the company’s director of virtualization product management. “Licensing and virtualization are inherently complex, and we’ve actually done a number of things to simplify it,” he says. In March 2010, Microsoft announced changes to its virtual desktop licensing policies that went into effect July 1. Here are the two most significant updates:

tomers had to purchase an additional license, called a Virtual Enterprise Centralized Desktop (VECD) license, to run any Windows desktop operating system as a server-hosted desktop. The VECD cost $23 per device per year for computers covered by Windows Client Software Assurance. For those not covered by SA, the cost was $110 per device per year.

Now Microsoft has ditched the VECD and includes virtual desktop access rights as a benefit of SA. For computers not covered by SA, Microsoft has created a new license, called the Virtual Desktop Access (VDA) license, which costs $100 per device per year.

In addition, if you’re running the virtual desktop on a thin client rather than on a PC, that also requires a VDA license at $100 per device per year (and this applies to SA customers as well, since thin clients cannot be covered under SA).

■ Previously, Microsoft licenses didn’t allow customers to access a specific virtual desktop from anything but their own Windows-licensed corporate PCs. The only way for a user to legally access her virtual desktop from a home PC was to buy a VECD license.

Now, under client SA and the new VDA license, customers can access their virtual desktops and Microsoft Office applications hosted on Virtual Desktop Infrastructure technology from other, noncorporate computers.



A  GUIDE  TO  THE 
LICENSING  MAZE 


Complex, Like the Tax Code

Software licensing for virtual desktops is incredibly complex, confusing and, in some cases, prohibitively expensive. “It’s like the IRS tax code,” says Dave Buchholz, principal engineer at Intel Corp.’s Intel IT unit, who has been running a research project that looks into all aspects of desktop and application

The problem is multifaceted. Like with an onion.

infrastructure, application virtualization and operating system streaming. And different types of licensing plans can apply to the different flavors. Moreover, there are many different layers of software in any virtualized environment — the operating system, the virtualization software itself, the applications — each of which has its own licensing requirements.

The confusion over licensing of Microsoft prod-

500 desktops, and he expects to reach 2,000 of the company’s 13,000 employees within a year.

When Galinsky started the pilot, he bought Microsoft’s Virtual Enterprise Centralized Desktop licenses for the virtual desktops. But as of July 1, the VECD disappeared, and those rights are now included in the SA program, which for all practical purposes bases

BUSINESS CONTINUITY

Calculated

IT managers are getting better at using hard numbers to score more funds for disaster recovery projects.

ED RICKS didn’t have to

manufacture

tives at Beaufort Memorial Hospital in South Carolina that they needed to boost spending on business continuity and disaster recovery systems.

On his first day as CIO at the hospital, a lightning storm knocked out power. The hospital immediately switched to a generator, but the backup system didn’t include power for air conditioning or communications. “Our data center got too warm, and we had to start shutting servers down,” Ricks recalls. The hospital also lost communications links to other facilities.

From a CIO’s perspective, “It was almost too good to be true for me,” Ricks says. “The situation wasn’t even as bad as it can get, but it showed what could happen. It was really obvious that we had to do something to make sure that we’re always operational.”

Today, the hospital has a disaster recovery site with real-time data backup. Ricks plans to expand the site’s capabilities and add virtual servers by the end of this year. Total cost: about $1 million.

For most IT managers, however, it takes more than a well-timed act of nature to convince executives to invest more in business continuity and disaster recovery. It takes a compelling story that’s full of the hard numbers that executives appreciate.

In the past, it was hard to make a business case for disaster recovery systems because they were viewed as expensive insurance policies against things that might not happen. But a Forrester Research Inc. report says that’s changing because IT managers are getting better at quantifying risks and assessing the impact of a disruption.

“It’s more of an art than a science,” says Forrester analyst Rachel Dines. “Most executives don’t realize how much it costs. We’re talking about millions of dollars. So it’s really all about how you pitch it.”

As the Forrester report puts it: “It’s much more likely that a CIO or other executive will approve budget for a [business continuity/disaster recovery] upgrade if you can explain that in the next five years there is a 20% probability that a severe winter storm will knock out power to the data center and cost $500,000 in lost revenue and employee productivity.”

So, how can IT managers come up with hard numbers to quantify the need for business continuity and disaster recovery spending? Dines suggests that companies take these steps:

each risk in your geographic area. Next, list the likely number of hours of downtime that might result from outages caused by each of those risks. In a third column, list the percentage chance of such an event happening in a year. Finally, multiply all of that by your hourly cost of downtime to arrive at your annualized risk cost.

“That can be a pretty good way of guiding technology investments that can eliminate that risk — such as investing in remote-access procedures for a winter

Calculate hourly cost of downtime. Figuring out the cost of downtime can be daunting, because outages have both tangible and intangible costs. Start by calculating the most obvious numbers, like revenue losses or productivity losses for salaried employees who would be unable to work; those are usually the biggest downtime-related costs anyway. Also explore any penalties you’d incur if you weren’t able to comply with regulations because your systems were down.


6%  to  7% 


as a loss of customers, a decrease in customer satisfaction or hits to your company’s reputation and employee morale — are harder to quantify; you might try to calculate them by looking at the impact of similar events on your company or a competitor in the past.

At Troy University in hurricane-prone Alabama, Greg Price has a simple goal: “We don’t want our services to go down for a second.” With 30,000 students in 17 time zones around the globe, the university can’t tolerate downtime. So Price, Troy’s chief security and technology officer, carefully gathered data to reinforce his argument that the university needed a new remote data center to replace an outdated facility.

He collected 15 years of historical data that showed the probability that certain events — categorized as minor, major or significant — would affect the Troy, Ala., campus. Here’s what he found:

■ About 75% of Troy’s IT service interruptions are considered “minor,” meaning service is knocked out for less than two hours, usually due to a power outage or Internet service problem. (Troy had 28 minor

■ Twenty-two percent of the incidents are considered “major,” meaning service is disrupted for two to eight hours, often due to construction mishaps or

5 ties and industry groups have issued at least 22 regulations or industry standards to address business continuity and disaster recovery, according to a Forrester Research report. Although many of the programs are voluntary, they nevertheless have prompted some companies to fund additional business continuity and disaster recovery projects.

But companies that make investments just to comply with a regulation or industry standard are missing the point, experts say. “Unfortunately, they really just want to ‘check the box’ and spend as little as possible on business continuity in order to be com-




If you need data about incidents in other countries, one resource is the Web site of EuroStat, the European Union’s official statistical agency.

Making the Business Case

Beyond the numbers, IT leaders have been successful in scoring funds for business continuity and disaster recovery projects when the business units and risk management personnel help explain the need in business terms. A survey of 345 Disaster Recovery Journal subscribers showed that about 65% of business continuity management teams work with their business units to determine the impact of risk.

Here are more tips for winning over non-IT


element and why each one cost so much.

“Typically, the justification would be more than just recoverability,” Kem says. “We also talked about storage management and defined all the pieces and parts that would help beyond just recoverability and made sure those were apparent.”

After six years at MutualBank, Kem has learned to tailor his pitch to each executive: “It’s a matter of finding the right hot buttons for the right executive. [Include] something for everyone. Then keep it short and understandable to a nontechnology person. They need to be shown the business value within the technology.”

Kem also suggests getting an unbiased third party.

Jeff Weber, managing director at Protiviti Inc., a risk consulting firm based in Menlo Park, Calif.

Consequently, IT managers may need to exploit the latest catastrophes, pandemics and security breaches to get the attention of senior executives, the Forrester report says. Remember: It was a lightning storm that helped to produce a $1 million investment in disaster recovery improvements at Beaufort Memorial Hospital.

Collett is a Computerworld contributing writer. Contact her at stcollett@aol.com.


Trouble Ticket

Security Manager’s Journal

Getting a Handle on Our Data

Improved data handling ... an easy win ... manager, who is especially excited about IP protection.

Three months into my new job, I’ve had a chance to assess the landscape and establish some priorities. No. 1 will be the way we handle data.

There’s a very practical reason for this. Before I arrived, the company had spent a lot of money on a third-party data assessment. The findings were startling, and the CFO expects remediation in short order. I want to capitalize on that.

But at least one aspect of data handling is near and dear to the heart of any security professional: the protection of intellectual property. The other goals of our project to improve data handling — data classification and data

Legal; by including them, I can get some traction and some valuable collaboration time with that department. Some wins there should serve the juicier IP protection aspect well.

I will recommend to Legal that we come up with two or three data classifications, such as “Confidential and Restricted” or “Confidential and Special Handling.” Once Legal and some other key business units agree on the classifications, we can create some policies and processes so that workers can determine the classification of data and mark or protect it accordingly.

As for data retention, I will work closely with our internal counsel and, most likely, a firm with experience in retention law. Various federal and state laws require companies to keep certain documents for specified time periods. We will want to develop a policy and a retention schedule for all the categories of documents that we are required to keep. Next, I will add information on these retention policies to my security awareness training program. And we’ll need to ensure that we have a place for storing retained data that can accommodate everything from e-mail messages and attachments to Oracle Financials and PeopleSoft HR documents.

ROI for IP

With the program to protect our intellectual property, there is a chance that I will be able to expand my staff and security infrastructure. That’s because IP protection is one of the few technology initiatives that has the potential to gener-

an employee who is planning to leave the company e-mails himself the source code for one of our next-generation products before his departure. If he is successful and isn’t detected in time, he could sell that code or use it himself in ways that would directly and negatively affect our future revenue.

But there are certain tools that can detect such activity, giving us a chance to stop potential thieves before they can abscond with the virtual goods. I hope to get the go-ahead — and the budget — to deploy them.

To be specific, I am bullish on data leak protection software. I used it at my previous company to detect when intellectual property inadvertently or intentionally left the company network.

To my mind, data leak protection software pays for itself. I also like digital rights management as a way to prevent copying that can result in our IP ending up in the wrong hands.

I have told our legal counsel about the potential savings we could realize with such tools, and he is interested in moving forward with the effort. I’ll keep evangelizing for this program through focus groups and other forums. I’m keeping my fingers crossed that I will be allowed to procure the appropriate resources to make this a successful initiative.

This week’s journal is written by a real security manager, “Mathias Thurman,” whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.

“With a program to protect our IP, I might be able to expand my staff and security infrastructure.”

High Priorities

When large enterprises were asked to name their top IT priorities for the next 12 months, disaster recovery ranked No. 2:


Career 

Watch 


trust  among  employees?  wtieii  trust  In  a  workplace  remains 
broken,  no  one  wins.  Not  Individuals.  Not  teams:  Not  organiza¬ 
tions.  What's  more,  the  consequences  come  with  a  high  price.  On 
the  "hard"  side  of  businesses,  we  see  major  hits  to  productivity, 
performance  and  even  profits.  On  the  softer  side,  we  see  people 
lose  confidence,  commitment  and  energy.  They  disengage  in  a 
variety  of  ways  for  a  variety  of  reasons  -  most  often,  a  certain 
level  of  anger  of  fear.  In  interviews  with  individuals  and  teams, 
we  hear  comments  like  ‘Tm  just  going  through  the  motions"  or 
"We've  lost  all  passion  and  creativity." 


Workplace 


Dennis  and 
Michelle 
Reina 

Rebuilding  Trust  in  the 


In  affect  the  U.S.  workplace?  The  Great 
Recession  rocked  workplaces  everywhere,  and  the  very  under¬ 
pinnings  of  trust  were  upended. 

According  to  a  recent  workplace  suryey  by  consulting  firrri  Deloitte 
LLP.  one-third  of  working  Americans  say  they  plan  to  look  for  a 
new  job  when  the  economy  gets  better,  and.  of  this  group.  48% 
cite  a  loss  of  trust  in  their  employer  as  the  reason.  The  hidden 
"aha"?  Even  now.  when  many  employees  are  choosing  to  stay  put. 
they  have  "quit."  In  the  absence  of  trust,  they  have  checked  out. 

Also,  major  betrayals  in  the  workplace  -  from  companies 
mismanaging  layoffs  to  CEOs  committing  crimes  -  can.  and  do. 
make  headlines.  They  are  not  the  only  source  of  trouble,  though. 
Minor  betrayals,  such  as  gossiping,  finger-pointing  or  taking 
credit  for  others'  work,  are  more  pervasive  and  erode  trust  over 
time.  The  accumulation  of  little  betrayals  becomes  a  big  prob¬ 
lem,  in  fact.  according  to  our  research.  90%  of  employees  report 
that  they  feel  the  effects  of  eroded  trust  daily. 


Whether  you  have  been  betrayed,  have  betrayed  someone  else 
or  have  a  role,  such  as  manager  or  team  leader,  where  you  want 
or  need  to  help  others,  we  recommend  a  seven-step  process, 
drawn  from  two  decades  of  research,  for  healing  and  rebuilding 
trust.  This  seven-step  process  isn't  a  silver  bullet.  It  does,  how¬ 
ever.  provide  a  framework  for  taking  concrete,  constructive  and 


is  often  exper ienced  as  a  loss  -  the  loss  of  what  was  or  what 
could  have  been.  Acknowledge  that  loss  and  recognize  its  impact. 
Q  Allow  feelings  to  surface.  Give  yourself  permission  to  feel 
your  emotions,  whatever  they  may  be.  and  hnd  proper  ways  to 


Q  Reframetheexp 

text.  Look  at  the  big  pic 
and  opportunities  in  front  of  you. 

0  Take  responsibility.  Own  up  to  what  is  yours  to  own. 
acknowledge  the  lessons  learned,  and  ask  how  you  can  help  im¬ 
prove  the  current  situation. 

^  Forgive  yourself  and  others.  Forgiving  doesn't  mean 
excusing;  it  means  acknowledging  how  broken  trust  has  affected 
you.  as  welt  as  others,  and  then  releasing  yourself  from  energy- 

Q  let  go  and  move  on.  There  is  a  difference  between  re¬ 
membering  and  "hanging  on."  You  may  not  forget  a  betrayal, 
but  you  can  make  a  conscious  choice  to  look  lorward  rather  than 


re.  plus  consider  the  personal  choices 


Career 

Watch 


Dennis  and 
Michelle 
_  Reina 

The  co-authors  of  Rebuilding  Trust  in  the 
Workplace  discuss  the  effects  of  the  recession 
on  the  trust  between  employers  and  workers. 


Recesskin  rocked  workplaces  everywhere,  and  the  very  under¬ 
pinnings  of  trust  were  upended. 

According  to  a  recent  vrorkplace  survey  by  consulting  nrm  Deloitte 
LLP.  one-third  of  vrorking  Americanssay  they  plan  to  look  for  a 
new  job  when  the  economy  gets  better,  and.  of  this  group.  48% 


trust among employees? When trust in a workplace remains
broken, no one wins. Not individuals. Not teams. Not organizations.
What's more, the consequences come with a high price. On
the "hard" side of businesses, we see major hits to productivity,
performance and even profits. On the softer side, we see people
lose confidence, commitment and energy. They disengage in a
variety of ways for a variety of reasons - most often, a certain
level of anger or fear. In interviews with individuals and teams,
we hear comments like "I'm just going through the motions" or
"We've lost all passion and creativity."

Once trust has been broken, how can it be restored? Trust
is fragile. In the workplace, as in life, it will be built and it will be
broken - a natural part of human interaction. The key, then, to
sustaining trust is to know how to rebuild it again and again.

Whether you have been betrayed, have betrayed someone else
or have a role, such as manager or team leader, where you want
or need to help others, we recommend a seven-step process,
drawn from two decades of research, for healing and rebuilding
trust. This seven-step process isn't a silver bullet. It does, however,
provide a framework for taking concrete, constructive and


is often experienced as a loss - the loss of what was or what
could have been. Acknowledge that loss and recognize its impact.

• Allow feelings to surface. Give yourself permission to feel
your emotions, whatever they may be, and find proper ways to
express them.

• Get and give support. Ask for help in recognizing where
you're stuck and how you can shift from blaming to problem-

• Reframe the experience. Put the event into a larger context.
Look at the big picture, plus consider the personal choices
and opportunities in front of you.

• Take responsibility. Own up to what is yours to own.




OPINION

FRANK HAYES

Sure the Cloud's Insecure; It's Like Everything Else

Many programmers don't validate input because, hey, faster is better, right?

Frank Hayes has been covering the intersection of business and IT
for three decades. Contact him at cw@frankhayes.com.


WORRIED ABOUT SECURITY IN THE CLOUD? Fret over this instead:
Last month, a hacker surfaced who claimed he can sell
access to more than a dozen government, military and university
Web sites — all cracked easily because of bad programming.
Who needs the cloud for lousy security? It's everywhere!

Consider whose Web sites were hacked and
offered for sale to thieves for less than $500
each: the states of Michigan and Utah. And the
South Carolina National Guard. And government
agencies in Italy and Albania. And, maybe most
disturbing of all, the U.S. Army's Communications-Electronics
Command, which does software
engineering for battlefield systems. These guys
really should be getting their programming right.

Oh, it gets worse. The hacker almost certainly
hijacked the sites by using a pair of tricks that
have been around seemingly forever: SQL injection
and buffer overflow. Those attacks don't
require an expert black hat — just a script kiddie
with some time to kill.

And those attacks are easy to prevent; programmers
just have to set things up so that the system
makes sure any input to a Web site is valid. If a
form asks for a name and the input turns out to be a
snippet of SQL code or 5,000 binary bytes, it should
be rejected — not passed on to a back-end database.
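
An added example (not from the column) of the check described above, in Python with SQLite: a name field is length-capped and matched against an allowlist, then stored through a bound parameter. The 64-character limit, the `visitors` table and the sample inputs are assumptions made for illustration.

```python
import re
import sqlite3

MAX_NAME_LEN = 64  # assumed limit for this example
# Allowlist: must start with a letter (any script); then letters, spaces, . ' -
NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[ .'\-])*")

def validate_name(raw):
    """Return the cleaned name, or raise ValueError if it is not a plausible name."""
    if isinstance(raw, bytes):
        # Cap the size before decoding so oversized binary input is cheap to reject.
        if len(raw) > 4 * MAX_NAME_LEN:
            raise ValueError("input too long")
        try:
            raw = raw.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("input is not valid UTF-8 text") from None
    name = raw.strip()
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("name length out of range")
    if not NAME_RE.fullmatch(name):
        raise ValueError("name contains characters outside the allowlist")
    return name

def store_name(conn, raw):
    """Validate, then insert with a bound parameter so the value is never parsed as SQL."""
    name = validate_name(raw)
    # A legitimate name such as O'Brien contains a quote character, so validation
    # alone is not enough: the placeholder keeps data and statement separate.
    conn.execute("INSERT INTO visitors (name) VALUES (?)", (name,))
    return name

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (name TEXT NOT NULL)")
    samples = [  # constructed inputs
        "Anne O'Brien",
        "x'); DROP TABLE visitors;--",
        bytes(range(256)) * 20,  # about 5,000 binary bytes
    ]
    results = []
    for sample in samples:
        try:
            results.append(("stored", store_name(conn, sample)))
        except ValueError as exc:
            results.append(("rejected", str(exc)))
    rows = [row[0] for row in conn.execute("SELECT name FROM visitors")]
    return results, rows
```
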

But validating input requires a little extra code
that slows down Web servers just a little bit. As a
result, many programmers — and most programming
tools — don't do it automatically because,
hey, faster is better, right?

That's been the mantra of the IT industry for 50
years. And it's been a curse to almost everything
else of value in IT. Security? Reliability? Flexibility?
Maintainability? They've all been sacrificed in favor
of cheap little tricks that make things run faster.

That's not a coincidence. It's a philosophy —
one that infects everyone from programmers and
network admins in your IT shop to educators,
software and hardware vendors and, yes, cloud
vendors too.

After all, the faster the servers run up in the
cloud, the more customers the cloud vendor can
handle at the same cost. When your profit all
turns on efficiency, speed is money.

Security? That's expensive. And you can bet it
won't be more of a priority to a cost-cutting cloud
vendor — whose standard contract probably
includes an uptime guarantee but no security-vetting
clause — than it ever was in your own
datacenter.

You can't change that "faster über alles" philosophy.
So if you want security in the cloud, you'll
have to force the issue. You'll have to get some
security guarantees written into your contracts,
including provisions that allow you to do security
testing on your own cloud-based applications.

Then you'll have to reinvest some of your
savings from going to the cloud into doing that
security testing. Hire some "ethical hackers" to
hammer on your cloud applications, trying to
break them, hijack them or find ways inside them.
Then keep bringing them back periodically to
hammer away again — remember, the cloud is
all about constantly moving applications around.
What's safe today may be insecure next month.

Does that sound over the top? Maybe — but
it's the only way for you to validate security in
the cloud.

And if you don't do it, you can be pretty sure
that sooner or later, some hacker will find you.




